The war on talent in cybersecurity

5 May, 2017

By Koen Maris,
Chief Technology Officer – Cyber Security at Atos

IT talent is far too scarce in our region and cybersecurity talent is even scarcer. Companies are therefore often at war to attract these people. However, keeping these white knights within the company often proves difficult. The traditional talent management approach is inadequate, and there are a number of good reasons for that.

Hard skills to the detriment of soft skills

Many cybersecurity specialists are technically highly gifted, but sometimes have trouble communicating to the outside world about what they are doing. If no one cares about this and proposes the right track to keep these talents stimulated and motivated, you’ll see them leave frustrated and discouraged after some time.

Promising a lot, while giving little

In the battle for talent, promises are often made that prove untenable in practice, such as the chance to follow training and to attend conferences like Defcon and Brucon. This may seem like a very banal reason to leave a business, but the hard reality is that most cybersecurity experts rarely choose a company because of the high wage.

Promising a lot, while giving little – part 2

“A fascinating job with lots of variety and career prospects.” The companies that write these job descriptions really do mean to offer every employee a nice career path. But in reality it turns out that these experts are difficult to replace, meaning that the white knight often remains working on the same project in the same position.

Consultants come from Venus, ethical hackers from Mars

Most of the cyber security projects we currently do for customers require both the business skills of traditional consultants and the technical and analytical skills of security experts. Their work methods are opposite to each other, but that is of no importance to the customer, who wants to hear what the security issues are, but also how to solve them. You therefore need someone who can reconcile both, and this is what is often lacking within companies.

Consultants come from Venus, ethical hackers from Mars – part 2

Not only does the work method of cybersecurity experts differ greatly from that of the business consultant, but their mentality and expectations of corporate culture are far apart as well. A company that focuses too much on the number of hours worked will soon have a problem with its ethical hackers. They want to be judged by their results, not by the number of hours they have spent in the office. In addition, they care little for hierarchy and outward appearance, so the business dress code used in traditional consulting firms, for example, is not an attractive prospect.

Cyber security is a mindset, not a training

“No cybersecurity experts available? Then we’ll quickly re-educate some consultants from the bench!” In practice, it’s clear that you cannot just train cybersecurity experts. Ethical hacking in particular is much more a mindset than the result of decent training. Even “IT’ers” cannot simply be transformed into ethical hackers. A good “IT’er” learns to understand the logic and patterns of software and technology to make the best possible use of it. A good ethical hacker does just the reverse; with each infrastructure, the question arises: “How do I get this system disregarded?”. They have to question everything, and that’s something you can’t learn in a cybersecurity crash course.
